White Hat Institute

“Defend the Web” write-up (Intro 2)

“Defend the Web” write-up (Intro 2 — HTML tag information leak)

Data leakage is an application flaw in which sensitive data, such as web application technical information, context, or user-specific data, is revealed. An attacker could use that data to gain access to the target web application, its hosting network, or its clients, so sensitive data leakage should be avoided or prevented wherever possible. In its most basic form, information leakage is caused by one or more of the following factors: failure to scrub out HTML/script comments containing sensitive data, incorrect application or server configurations, or differences in page responses for valid and invalid data.

HTML tags are bits of code that search engines can use to describe our content. HTML tags can be used to emphasize essential areas of our content, describe images, and even provide search engine bots instructions. HTML tags are also utilized to alter the appearance of our pages in search results. We can make standard search snippets into rich snippets, and possibly even featured snippets, with the help of particular tags.

Let’s poke around and view the page source to take a closer look.

Defend the Web Intro 2-1

Press “CTRL + F” and search for the word “password”. You’ll see a password in clear text, inside an HTML tag with an unusual color style (rgba).

Defend the Web Intro 2-2

The letters RGBA stand for red, green, blue, and alpha. While it’s commonly referred to as a color space, it’s actually a three-channel RGB color model with an alpha channel added on top. Alpha indicates how opaque each pixel is and enables alpha blending, which lets transparent areas and the anti-aliased borders of opaque parts be blended over other content.

red: Defines the intensity of red as an integer between 0 and 255, or as a percentage value between 0% and 100%

green: Defines the intensity of green as an integer between 0 and 255, or as a percentage value between 0% and 100%

blue: Defines the intensity of blue as an integer between 0 and 255, or as a percentage value between 0% and 100%

alpha: Defines the opacity as a number between 0.0 (fully transparent) and 1.0 (fully opaque)

So, in this case, the username and the password fields are written in a 100% opaque color style. This means that when you highlight the username and the password fields, you will be able to view all of their contents.

Defend the Web Intro 2-3
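The leak described above can be caught before a page ships. The following is an added example, not code from the challenge or the original write-up: a small scanner that flags credential-like text inside elements styled with an rgba() text color, and inside HTML comments. The keyword list, the sample markup and every value in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Keyword list and sample markup are constructed for this example.
KEYWORDS = re.compile(r"\b(username|password|passwd|secret|token)\b", re.I)
# Text colour only; the lookbehind skips background-color and similar.
RGBA = re.compile(r"(?<![\w-])color\s*:\s*rgba\(\s*([^)]*)\)", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta"}

class LeakScanner(HTMLParser):
    """Collects (kind, line, detail) findings from raw HTML source."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self.stack = []  # (tag, rgba arguments or None) per open element

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            m = RGBA.search(dict(attrs).get("style") or "")
            self.stack.append((tag, m.group(1) if m else None))

    def handle_endtag(self, tag):
        # Close the nearest matching open element and anything nested in it.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        # Text is suspicious if any enclosing element sets an rgba() colour.
        rgba = next((c for _, c in reversed(self.stack) if c), None)
        if rgba and KEYWORDS.search(data):
            line = self.getpos()[0]
            self.findings.append(("styled-text", line, f"rgba({rgba}): {data.strip()}"))

    def handle_comment(self, data):
        if KEYWORDS.search(data):
            self.findings.append(("comment", self.getpos()[0], data.strip()))

def scan(html):
    parser = LeakScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

SAMPLE = """<html><body style="background-color: rgba(0, 0, 0, 1)">
<!-- TODO remove: password for staging is EXAMPLE-ONLY -->
<span style="color: rgba(0, 0, 0, 0.0)">Username: demo_user Password: demo_pass</span>
<label>Password</label><input type="password" name="pw">
</body></html>"""
```

Calling `scan(SAMPLE)` reports the comment and the styled span, while the ordinary `Password` form label is not flagged because no enclosing element sets an rgba() text color.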

Information leakage can also occur when pages return different results depending on the validity of the data, particularly when data that is deemed secret is revealed as a result of the web application’s design. Account numbers, user identifiers (driver’s license numbers, passport numbers, Social Security numbers, and so on), and user-specific information are examples of sensitive data. In this context, information leakage refers to the disclosure of sensitive user data that should not be exposed in plain sight, even to the user. Credit card numbers and other highly regulated information are prime examples of user data that must be further protected against exposure or leakage, even with sufficient encryption and access controls in place.